
need virus help/identification: Windows Explorer hijacked?

1 reply to this topic

#1 robdrake


  • Members
  • 2 posts
  • Local time:02:44 AM

Posted 20 December 2011 - 03:44 PM

My OS is Windows 7. Sorry this post is lengthy but I feel there are some variables here which should be noted by those more knowledgeable than myself.

Other than a brief run-in with the Conficker worm and a few silly trojans/adware, I've never really had a problem with viruses in my 15 or so years of avid computer use. This is partly due to the fact that I always use virus protection, and an administrator account to prevent anything from making changes without my knowledge, a particular factor which seems to be unaddressed in many virus removal guides and which I fear may have ended up being part of my ultimate problem.

This all changed about two weeks ago when I found my system had been infected with the System Fix virus. I instantly realized it was fake, and an infection, and found guides on BleepingComputer which helped me remove it successfully (so mad props for that). Within the next week, System Fix had infected my user account 3 more times, but I was able to remove it in minutes. Then a few days ago I found I had been infected yet AGAIN, but this time with Win 7 Security 2012. Also, I received a message asking for my administrator password because Windows Explorer was attempting to make changes to my computer. Uh oh, Cheeto! I was kinda drunk when the infection attacked, so I simply logged on to my unaffected administrator account and watched my movies using that, thus leaving the task of removing Win 7 Security for the following morning.

The next day I logged on to my account ready to kick some more virus butt. Immediately, I was prompted for my admin password to allow Windows Explorer to change computer settings. I clicked No and Windows Explorer shut off. $#!%. Won't have too much luck following the removal guide if I can't even get to files.

Since the fact that I use an admin account to allow installation/changes to anything isn't addressed in any of the guides, I figured I had to simply let the virus fully install before I could remove it. I re-logged and this time I allowed Windows Explorer to make the changes it wanted. At least now I could access my files... WRONG. Whenever I attempted to open any folder I would get random bullcrap errors and I simply had no access to anything.

I tried again in safe mode. I could actually access folders here, but Windows Explorer would "stop working" after about 45 seconds and restart itself. Despite this I was still able to perform the first step in the BleepingComputer Win 7 Security Uninstall Guide. I ran FixNCR.reg from my flash drive but received an error stating the registry files were in use and could not be modified. $#!%.
I re-logged, this time out of safe mode. I still couldn't access any folders, but I used Run commands to access the files on my flash drive. This time FixNCR.reg worked and the registry files were fixed. I then ran Rkill to terminate malware processes. Rkill worked, terminating processes from conhost.exe and werfault.exe (both of which are Windows processes), but as soon as it did, Windows Explorer would restart, ask me for the admin password, and put me right back at square one. $#!%.

About this time I realized that Win 7 Security 2012 had not been running the entire time. In fact, the only time it ran was the very first time it attacked. Since then I haven't had a fake Windows GUI/pop-up or any symptom relating to it at all. This leads me to believe I have a nastier virus, one that has hijacked Windows Explorer in such a way that even Win 7 Security cannot properly work. I also noticed that every time I give Windows Explorer permission to make changes, it actually appears to merge my administrator account with my regular user account, despite the fact that my admin account hasn't had any problems or symptoms at all.

So my conclusions thus far are this: either the presence of my administrator account has prevented Win 7 Security from properly attacking and has caused more dire problems, or I have a more powerful virus which attacked at the same time. So far the administrator account I'm using to make this post and research information has gone entirely unaffected by any of this... up until a few seconds ago, when Malwarebytes blocked a process from trojan.fakealert, a process which I believe is associated with System Fix. euuuuughhhhhhhhhhh

So yeah, it's pretty obvious there is some sort of horrible vulnerability on my system, one I plan to remedy through research and by purchasing Malwarebytes. The problem is I need to get these current infections the hell off my system before I can do any of this. I'm not about to go making online purchases with this stuff on my computer.

Lots of thanks to anyone who even reads this. If you have any questions, feel free.

Edited by robdrake, 20 December 2011 - 05:40 PM.



#2 robdrake

  • Topic Starter

  • Members
  • 2 posts
  • Local time:02:44 AM

Posted 20 December 2011 - 05:54 PM

Alright, so I created this topic and then I went and shot some guns. Good stress relief. I then came home and all my user accounts seem completely fine and virus free... WHAT THE HELL IS GOING ON?!?

The only thing that changed between typing the first post of this topic and now is Malwarebytes blocking that trojan.fakealert process while I was making this topic.

I'm not convinced I'm out of the woods. Something here is really fishy... and regardless I need to plug this vulnerability once and for all. If anyone could point me in the right direction for accomplishing this, I would greatly appreciate it.
